Sports fanatics using the CBS Sports app or mobile site recently may have had their personal information exposed to online theft, researchers say.
According to mobile security firm Wandera, both the Android and iOS versions of the app were found transferring users’ names, email addresses, account passwords, dates of birth and zip codes over an insecure connection.
Furthermore, the mobile CBS Sports website also failed to encrypt user data during the sign-up or log-in process, transmitting users’ email addresses and passwords in clear text.
Researchers discovered the security flaw last month – right in the midst of the March Madness NCAA basketball tournament, perhaps one of the most popular sporting events of the year.
Wandera warned the lack of encryption to protect such personally identifiable information (PII) potentially “left millions of people exposed to interception.”
“Since mobile users are vulnerable to man-in-the-middle attacks, we believe that this potential data exposure is very sensitive with a high impact surface area, especially during popular sports events where app and website usage is boosted significantly,” read Wandera’s threat advisory (PDF).
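As an added illustration (not code from the article or from Wandera), here is a small Python check a defender could run over captured sign-up and log-in requests to flag the fields the advisory names when they travel over a URL that is not HTTPS; the hostnames, paths and sample values in the capture are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Form fields the advisory says were sent unencrypted (names, emails,
# passwords, dates of birth, zip codes); field spellings are assumptions.
SENSITIVE_FIELDS = {"name", "email", "password", "dob", "zip"}


def audit_request(url, body):
    """Return the sensitive form fields a request sends without TLS.

    `url` is the full request URL and `body` a form-encoded body string.
    Requests over https return an empty set; anything else is inspected.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() == "https":
        return set()
    fields = set(parse_qs(body, keep_blank_values=True)) if body else set()
    fields |= set(parse_qs(parts.query, keep_blank_values=True))
    return {f for f in fields if f.lower() in SENSITIVE_FIELDS}


def audit_capture(requests):
    """Audit (url, body) pairs; return one finding per request leaking PII."""
    findings = []
    for url, body in requests:
        leaked = audit_request(url, body)
        if leaked:
            findings.append({"url": url, "fields": sorted(leaked)})
    return findings


# Constructed sample capture with placeholder hostnames, not real endpoints.
SAMPLE_CAPTURE = [
    ("http://m.example-sports.test/signup",
     "name=Alice&email=alice%40example.test&password=hunter2&dob=1990-01-01&zip=10001"),
    ("https://m.example-sports.test/login",
     "email=alice%40example.test&password=hunter2"),
    ("http://m.example-sports.test/scores?league=ncaa", ""),
]

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print(f"cleartext PII in {finding['url']}: {', '.join(finding['fields'])}")
```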
In a statement, a spokeswoman for CBS Sport Digital said the company had since resolved the security gap, while emphasizing it had found no indications that the data was, in fact, taken.
“Our internal teams are rigorous about monitoring our platforms for any potential security issues,” the spokeswoman said.
Wandera’s VP of Product Michael Covington noted that as more companies begin to offer services for mobile platforms, we are seeing time-to-market take precedence over security best practices.
“Instead of developing mobile properties with the same security development lifecycle that is used for other aspects of their infrastructure, we are seeing developers push out code that clearly was not tested for the most basic of vulnerabilities,” Covington told Threatpost.